packages icon
=== TCPFLOW

by Jeremy Elson <jelson@circlemud.org>

For the latest information on tcpflow, please see:
http://www.circlemud.org/~jelson/software/tcpflow/

Or, subscribe to the tcpflow mailing lists; see
http://sourceforge.net/mail/?group_id=8327


== What is tcpflow?

tcpflow is a program that captures data transmitted as part of TCP
connections (flows), and stores the data in a way that is convenient
for protocol analysis or debugging.  A program like 'tcpdump' shows a
summary of packets seen on the wire, but usually doesn't store the
data that's actually being transmitted.  In contrast, tcpflow
reconstructs the actual data streams and stores each flow in a
separate file for later analysis.

tcpflow understands sequence numbers and will correctly reconstruct
data streams regardless of retransmissions or out-of-order delivery.
However, it currently does not understand IP fragments; flows
containing IP fragments will not be recorded properly.

tcpflow is based on the LBL Packet Capture Library (available at
ftp://ftp.ee.lbl.gov/libpcap.tar.Z) and therefore supports the same
rich filtering expressions that programs like 'tcpdump' support.
It should compile under most popular versions of UNIX; see the INSTALL
file for details.


tcpflow stores all captured data in files that have names of the form

            128.129.130.131.02345-010.011.012.013.45103

where the contents of the above file would be data transmitted from
host 128.129.131.131 port 2345, to host 10.11.12.13 port 45103.



== What use is it?

I originally wrote this program to capture the data being sent by
various programs that use undocumented network protocols in an attempt
to reverse engineer those protocols.  RealPlayer (and most other
streaming media players), ICQ, and AOL IM are good examples of this
type of application.

In tinkering with it, I later also found tcpflow to be useful for
checking to see what cookies my browser was sending to various sites,
looking at the MIME headers of HTTP requests people are sending to my
web server, and verifying that various connections to my machine that
were supposed to be encrypted actually *were* encrypted.


== Security Implications

Although I wrote tcpflow to help the Forces of Good, in the wrong
hands it can certainly be used for the Forces of Evil.  In the wrong
hands this program can be used to do things like read incoming and
outgoing mail, and sniff passwords.  I have chosen to release it
anyway, because crackers already have tools specifically optimized for
doing "evil" network sniffing easily, and this program will most
likely not make their lives any easier.

Theoretically, the Good Guys might be able to use programs like this
to monitor their networks for evidence of attacks.  Such Good Guys are
directed to software such as Vern Paxson's Bro
<ftp://ftp.ee.lbl.gov/papers/bro-usenix98-revised.ps.Z>, which is
specifically designed to do network-based intrusion detection.  Also,
you should be aware that there are certain problems that make network
intrusion detectors inherently unreliable in the face of a
sufficiently advanced attacker; for more information, see
http://www.secnet.com/papers/ids-html/  or
http://www.circlemud.org/~jelson/writings/security/ .


== Bugs

Please send bug reports to jelson@circlemud.org.

tcpflow currently does not understand IP fragments.  Flows containing
IP fragments will not be recorded correctly.

tcpflow never frees state associated with flows that it records, so
will grow large if used to capture a very large number of flows (e.g.,
on the order of 100,000 flows or more).

There appears to be a bug in the way that Linux delivers packets to
libpcap when using the loopback interface ("localhost").  When
listening to the Linux loopback interface, selective packet filtering
is not possible; all TCP flows on the localhost interface will be
recorded.


Jeremy Elson
jelson@circlemud.org